group policy/proxy question

jeffmoss26

At work (manufacturing company), we have the internet restricted on the shop floor PCs. This is done through a proxy in group policy. There are a few sites such as the corporate intranet that they are able to access. I'm currently trying to allow access to salesforce.com which is our CRM. I've added the various URLs to the allowed sites list in the proxy, rebooted the PCs, but still can not connect all the way through to the site. When I try to login on my PC it works just fine because nothing is blocked for me.

I'm not sure what I'm missing here.

Thanks,
Jeff
 
Did you just add salesforce.com to your proxy, or did you add *.salesforce.com/* Some web proxies need the wildcards because they will allow you to go to salesforce.com which automatically redirects to www.salesforce.com which the proxy doesn't have in its allow list and therefore blocks it, then when you click login it will block you again because www.salesforce.com/logon.asp is not allowed.

What proxy software you are using would be helpful, because group policy just distributes the IE settings, not the actual proxy controls.
 
Here is a screenshot from the GPO. There is no separate proxy software, we are just using it through Windows Server for this particular group of computers.

Thanks-
 
Wait, so you're not actually running a proxy, you just force the use of a fake proxy and add exceptions as a whitelist? lol, interesting solution... I guess it works. As c7 said, I would try the *.salesforce.com exception, instead of trying to whitelist each individual url.

You could try them locally instead of waiting for the policy to apply each time.
 
I inherited this setup...I've been working here a little over a month and this is what was in place. I will give the wildcard a shot, I was thinking about doing that. Could I also try running gpupdate at each PC?
 
Yes, using gpupdate /force is much better than just restarting the computer.
 
Are the sites added to the trusted sites security group in IE? You can try that to see if one of the IE security settings is causing the authentication to fail.

Like previous posters said, if you are allowing access to the internal domain and not trying to restrict it to specific sites, just allow *.domain.com. You shouldn't need /* at the end either.
 
That fake proxy solution works pretty good I did that as well.

Tried wild card
 
Tried to add *.salesforce.com to the proxy list, did gpupdate /force on the workstation and still not able to get through.
Any other suggestions?
 
You'll want to install wireshark and see what the pc is actually doing.

It's very possible the site is pulling content (images, CSS, etc...) from another host or domain, or using Akamai or similar.

Though also, consider that you've spent, let's say 4 hours on this already, and several hours more, and it may never work. You're probably far better getting some type of firewall or content filter that's actually designed to do this, especially since in a month, they'll probably want to access some other business related site.

That being said, remind management that they're solving the wrong problem. If people want to goof off, they're going to do so, blocking web sites is only a mild deterrent.
 
Tried to add *.salesforce.com to the proxy list, did gpupdate /force on the workstation and still not able to get through.
Any other suggestions?

A real proxy doesn't take much work or hardware. Might be time to do the upgrade.
 
I did a ping test to several of the salesforce sites and I was able to get through on the shop floor.
I just ran wireshark on my pc while logging in to salesforce and found that it goes to a page 'c.na8.force.com' so I added *.force.com and will see if that makes it work.

Thanks,
Jeff
 
SUCCESS!
Added the force.com domain to the proxy and I can login on those 2 computers. Thanks again!
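As an added triage helper (not code from the thread or any poster), this script checks the hosts seen in a capture against the proxy exception list the way the replies describe: the bypass strings and URLs are constructed stand-ins, and the strict glob matching is an assumption that may be looser than WinINet's real rules.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed stand-ins for the GPO's proxy exception list (ProxyOverride
# format: semicolon-separated host patterns, '*' wildcards, '<local>' for
# dotless names). They mirror the thread's before/after state, not real values.
BYPASS_BEFORE = "intranet;salesforce.com;<local>"
BYPASS_AFTER = "intranet;salesforce.com;*.salesforce.com;*.force.com;<local>"

# Constructed request URLs standing in for what a packet capture of a
# Salesforce login from a shop-floor PC would show.
OBSERVED_URLS = [
    "http://intranet/",
    "https://salesforce.com/",
    "https://www.salesforce.com/",
    "https://login.salesforce.com/",
    "https://c.na8.force.com/resource/style.css",
]


def parse_bypass(value):
    """Split a ProxyOverride-style string into its individual patterns."""
    return [p.strip().lower() for p in value.split(";") if p.strip()]


def host_bypasses_proxy(host, patterns):
    """True if host matches any exception pattern (strict glob matching;
    assumption: WinINet's own matching may be more permissive)."""
    host = host.lower()
    for pat in patterns:
        if pat == "<local>":
            if "." not in host:
                return True
        elif fnmatch.fnmatchcase(host, pat):
            return True
    return False


def blocked_hosts(urls, bypass_value):
    """Hosts that would be sent to the (non-existent) proxy and so fail."""
    patterns = parse_bypass(bypass_value)
    blocked = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if host not in blocked and not host_bypasses_proxy(host, patterns):
            blocked.append(host)
    return blocked


if __name__ == "__main__":
    for label, value in (("before", BYPASS_BEFORE), ("after", BYPASS_AFTER)):
        print(f"{label}: blocked -> {blocked_hosts(OBSERVED_URLS, value)}")
```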
 
OK to bring this up again...every 2 weeks they magically can not login to salesforce. I do a gpupdate /force and reboot and then it works again. It's not a huge deal since it's only 2 PCs, but I'd like to know why it stops working.

Thoughts?
 
Are the proxy settings still in place on the computers when access to salesforce fails? I'm thinking that you have a process, task, or something out there that's messing with the proxy setting.

You do realize that unless you lock down the computer and disable all of the registry tools a user can still edit the proxy settings even if you disable the ability to change them. The value that holds the bypass proxy setting data is in an unprotected area in a key that you probably don't want to block write access to for the user. If you only used Internet Explorer Maintenance to control the proxy then it's wide open for editing through IE. If you enabled the setting "Disable changing proxy settings", then a value gets placed in the Policies key that IE checks to grey out the proxy configuration pane. This key can't be changed by the user. So it's blocked in IE, but you can get around that if you know where the proxy exclusion data is stored. I know that it's not always feasible to run out and get new software but you really should be using a proxy server product instead of relying on a method that doesn't lock down access 100%.
 
They are not editing anything. They barely know how to login and use the handful of programs to do their job. The proxy comes off the server through GPO anyway.
My boss did say that it's likely they don't reboot these machines often, that could be the problem.
 
Odd, what does GPResult say when it fails? Do you have more than one DC in the domain? Is replication working ok? If SYSVOL doesn't replicate you can get a mismatch of GPOs and it can make really odd things happen.
 
They are not editing anything. They barely know how to login and use the handful of programs to do their job. The proxy comes off the server through GPO anyway.
My boss did say that it's likely they don't reboot these machines often, that could be the problem.
Wait, I'm not accusing or even suggesting that they are changing settings on their own. I'm only letting you know that your solution to lock things down is not a real solution because the potential for editing is there. It is a good stumbling block for total noob users, I'll give ya that.

I understand how group policy works -- that's why I'm chiming in. Group policy objects don't time out. They go out of scope if the user or computer object that the policy targets is moved to a container not covered by the policy (not a sub-container, container that is blocking inheritance, or is configured for user loopback processing using replace).
 
Odd, what does GPResult say when it fails? Do you have more than one DC in the domain? Is replication working ok? If SYSVOL doesn't replicate you can get a mismatch of GPOs and it can make really odd things happen.
The thing I've noticed about Internet Explorer Maintenance is that it doesn't reapply the settings unless the policy has changed, even if "Process even if the Group Policy objects have not changed" is enabled. I think IEM has its own way of detecting changes to its portion of the policy and only reapplies during a GPupdate /Force or /Sync.

I won't say that the DC out of sync theory is totally impossible but the fact that the policies have versions that are tracked on the server and the computer, I don't see how an out of date policy could apply to a computer. His machines already received the correct setting at some point so they have the latest version. The inverse can and does occur where you change a policy and Sysvol isn't fully replicating and users that should receive the settings don't because the newer settings haven't replicated to the server being used for GP processing.
 
Thanks for the insight. It's not a huge problem to do a gpupdate when this happens, just wish I could make the problem go away :)
 
The quick and dirty approach of a nightly scheduled bat file to call "gpupdate /force"?
 
The quick and dirty approach of a nightly scheduled bat file to call "gpupdate /force"?
Let's see:
  1. GPUPDATE /FORCE will display a prompt, so you might want to try GPUPDATE /FORCE /BOOT or GPUPDATE /FORCE /LOGOFF. Otherwise you would need to redirect some input into the command. GPUPDATE /FORCE < (or was it <<) answerfile.txt (two liner with N on each line). But you're logging off anyway so the /Logoff switch should do it.
  2. We don't know when the setting is being changed, it could be during startup. So it might be better to run the update during logon, preferably after GP and Run commands have been performed. Throw a quick batch script in Startup for the user that runs GPUPDATE /FORCE < (or was it <<) answerfile.txt (two liner with N on each line)
 
If you aren't already using GPMC.msc (Group Policy Management Console) I suggest that you check it out. It will make life a little bit easier when viewing policy settings and generating RSoP.
 
Are you sure there aren't other policies that are getting applied on top of this one when a user logs on? Have you tried enabling loopback processing for this policy since it is for a specific machine. How is the policy scoped?
 
Let's see:
  1. GPUPDATE /FORCE will display a prompt, so you might want to try GPUPDATE /FORCE /BOOT or GPUPDATE /FORCE /LOGOFF. Otherwise you would need to redirect some input into the command. GPUPDATE /FORCE < (or was it <<) answerfile.txt (two liner with N on each line). But you're logging off anyway so the /Logoff switch should do it.
  2. We don't know when the setting is being changed, it could be during startup. So it might be better to run the update during logon, preferably after GP and Run commands have been performed. Throw a quick batch script in Startup for the user that runs GPUPDATE /FORCE < (or was it <<) answerfile.txt (two liner with N on each line)

Hence the phrase "Quick and Dirty" ...:rolleyes:

Next question that plays right along into the OP's issues: what are the hours of operation of this computer? Might as well just set a scheduled reboot to aid in stability of the system as well.
 
Hence the phrase "Quick and Dirty" ...:rolleyes:

Next question that plays right along into the OP's issues: what are the hours of operation of this computer? Might as well just set a scheduled reboot to aid in stability of the system as well.
Dude, have you tried it? It pauses if you don't explicitly tell it to logoff or reboot, so your quick and dirty isn't quite correct. Relax bro, it's still quick and dirty, I just appended the switch that would result in a reboot or logoff depending upon how he wanted to handle it.
 
The guys start work at 4:30 AM. I don't know if 2nd shift uses it. If so, it could be in use until 11-12 at night.
 